Detection & Compromise: Secrets from the AWS Secrets Manager

Why go for “Secrets”?

That’s how the attackers dug in: starting from console access, retrieving secrets, escalating privileges, and deploying their scripts to complete the objectives of their crypto-jacking operation.

Compromising Secrets

Detecting the Compromise

Parsing CloudTrail Data (Athena)

Not interested in learning about Athena or how to parse CloudTrail (CTL) data using the service? Skip to the next heading: “CloudTrail Log Analysis”

Query Result Location

CloudTrail Log Analysis

Events against the Secrets Manager service
API calls generated from the (potentially) compromised instance
Events from the ‘myadministrator’ user
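As an added example (not code from the article), the three pivots above applied to raw CloudTrail records in Python rather than through Athena. The records, the instance IP 203.0.113.10 and the role ARN are constructed for illustration; the user name myadministrator is the one the article names.

```python
import json

# Constructed CloudTrail-style records for this example (not taken from the article);
# field names follow the CloudTrail record schema.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/EC2Role/i-0abc12345"}},
    {"eventTime": "2023-01-01T10:00:05Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/EC2Role/i-0abc12345"}},
    {"eventTime": "2023-01-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "myadministrator"}},
    {"eventTime": "2023-01-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def load_records(raw_json):
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return json.loads(raw_json)["Records"]


def actor(record):
    """Best-effort principal name: IAM user name, else the ARN of the assumed-role session."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def pivot(records, suspect_ip, suspect_user):
    """Apply the three pivots: Secrets Manager events, calls from the (potentially)
    compromised instance's IP, and events by the suspect IAM user. Each bucket is a
    chronological list of (eventTime, eventName, actor) tuples."""
    def summarise(recs):
        return [(r["eventTime"], r["eventName"], actor(r))
                for r in sorted(recs, key=lambda r: r["eventTime"])]
    return {
        "secrets_manager": summarise(r for r in records
                                     if r["eventSource"] == "secretsmanager.amazonaws.com"),
        "from_instance": summarise(r for r in records if r["sourceIPAddress"] == suspect_ip),
        "by_user": summarise(r for r in records if actor(r) == suspect_user),
    }
```

Call `pivot(load_records(SAMPLE_CLOUDTRAIL), "203.0.113.10", "myadministrator")` to get the three buckets; the same function works on any downloaded CloudTrail log file once decompressed.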

Other (Potential) Pivots

Mind you — this would also require updates to the key policy of the KMS key so the secret could be decrypted.

Handling Compromised Credentials

Revoke & Rotate

Revoking access keys for users (via IAM)
Rotating credentials for AWS users (via IAM)
Revoking all active sessions (via IAM roles)

Tune Overly-permissive Policies

Delete Resources

Acknowledgements

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics and Cloud! 🚀